WordPress MU < 2.6 wpmu-blogs.php Crose Site Scrpting vulnerability

2008-09-30 / 2008-10-01
Credit: Juan Galiana
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - Security Advisory - - - WordPress MU < 2.6 wpmu-blogs.php Crose Site Scrpting vulnerability - - ----------------------------------------------------------------------- Product: Wordpress-MU (multi-user) Version: Versions prior to 2.6 are affected Url: http://mu.wordpress.org Affected by: Coss Site Scripting Attack I. Introduction. Wordpress-MU, or multi-user, allows to run unlimited blogs with a single install of wordpress. It's widely used, some examples are WordPress.com or universities like Harvard II. Description and Impact Wordpress-MU is affected by a Cross Site Scripting vulnerability, an attacker can perform an XSS attack that allows him to access the targeted user cookies to gain administrator privileges In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables "s" and "ip_address" of GET method aren't properly sanitized Here is a poc: PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS] PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS] The impact is the attacker can gain administrator privileges on the application. III. Timeline May 14th, 2008 - Bug discovered May 14th, 2008 - Vendor contacted and the start of a syncronized code patching May 16th, 2008 - MU trunk code fixed July 28th, 2008 - WPMU 2.6 released September 2nd, 2008 - WPMU 2.6.1 released September 29th, 2008 - Security advisory released IV. Solution Upgrade to version 2.6 or upper of wordpress multi-user. It can be downloaded from http://mu.wordpress.org V. Credits Juan Galiana Lara <jgaliana gmail com> http://blogs.ua.es/jgaliana -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI4UoerJ7V/gP9Hy8RArw3AJkB1a1sgO5T9dvO9tbU0/QxE8DxFQCeJCiw yFDGBIx6Q5oyIKNEq4ZZ4Wc= =uQu6 -----END PGP SIGNATURE-----

References:

http://seclists.org/fulldisclosure/2008/Sep/0582.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top